DETAILED ACTION
Response to Amendment 

A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e)
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to
37 CFR 1.114. Applicant's submission filed on 4/10/2006 has been entered. Claims 1, 14 and 20
have been amended. Claims 1-20 are pending in the application. 

Response to Arguments 
Applicant's arguments filed April 10, 2006 have been fully considered but are not found 
persuasive in view of the new ground(s) of rejection set forth below. 

As addressed below, the claim 1 is anticipated by S. Ma, et al., "EventMiner: An
integrated mining tool for Scalable Analysis of Event Data", May 21, 2001,
www.research.ibm.com, in view of D. Kranzlmuller, S. Grabner, J. Volkert, "Event graph
visualization for debugging large applications", Proc. of the SIGMETRICS symposium on
Parallel and distributed tools, Philadelphia, PA, United States, Pages: 108-117 (hereinafter
Kranzlmuller).

The cited prior art Ma reference teaches in Fig. 7 and the last paragraph of the Page 12 
plotting the primary attribute (e.g., with the attribute values indicating the troublesome hosts 
having significantly high event counts) versus time with the attribute values for events in a 
communication network and the primary attribute is selected from a plurality of attributes related 
to the one or more significant measurements such as the co-occurrences (i.e., the total number of
times that two hosts generate events within a predefined time window), the conditional 
probability of the two hosts (i.e., the probability of a host generating an event given the 
observation that the other host has generated an event), the chi-squared test and so on. Moreover, 
the Fig. 4 shows the coloring of the events having the secondary attribute with the patterns
indicating the authentication failure and SNMP request in order to differentiate using the 
coloring the events with authentication failure from other events. A pattern label is assigned to 
the events falling into the same pattern. Finally, the operator can view different event attributes 
by switching menus (Fig. 6). 

Ma has taught in Fig. 7 and the last paragraph of the Page 12 plotting the primary 
attribute (e.g., with the attribute values indicating the troublesome hosts having significantly high 
event counts) versus time with the attribute values for events in a communication network. Ma 
has also taught a plurality of attributes related to the one or more significant measurements such 
as the co-occurrences (i.e., the total number of times that two hosts generate events within a 
predefined time window), the conditional probability of the two hosts (i.e., the probability of a 
host generating an event given the observation that the other host has generated an event), the 
chi-squared test and so on wherein the attribute values are plotted in the same plot. It is clear that 
Ma discloses attributes including categorical attributes of the hosts, event types, severity of the 
events, etc. See Figs. 2, 6, 7 and 9. 

In Ma many significant event patterns are simultaneously identified within a single plot 
without the operator's switching between the various event attributes. 

Ma discloses display label to the events such as "Link down of host A", "node down of
host B", "authentication failure of host A", etc., including the colors for coloring the different 
patterns that indicate the attribute values of the primary attribute such as the co-occurrences of 
some specific events within a predefined time window. 

Ma discloses a secondary display label including the colors for coloring the different 
patterns for the events in the communication network that indicate the attribute values of the 
primary attribute such as the co-occurrences of some specific events within a predefined time 
window. 

Ma teaches that Fig. 5(b) displays two different attributes for the events; Figs. 2 and 4
show that the y-axis is the host name attribute as well as the coloring of attributes such as "authentication
failure" events in red and "SNMP request" events in green; therefore, at least two event
attributes such as host name, authentication failure, SNMP request have been simultaneously
monitored in the plot of Figs. 2 and 4. The menu options shown in Fig. 6 allow for the y-axis
attribute mappings to be changed. Moreover, Ma teaches mapping a plurality of attributes to item
and viewing both numerical attribute and categorical attribute on a same plot in Fig. 7 (See Page 
10). Thus, Ma at least teaches or suggests the claim limitation of viewing a secondary attribute of 
said each event together with the primary attribute on said display. 

Moreover, Kranzlmuller teaches viewing a plurality of attributes P0-P7 for the events in a 
communication network. Kranzlmuller teaches viewing a secondary categorical attribute (e.g., an 
event belonging to the category P0) of said each event together with the primary categorical 
attribute (e.g., an event belonging to the category P1) on said display (See Page 109, Fig. 2).

It would have been obvious to one of the ordinary skill in the art at the time the invention
was made to have incorporated Kranzlmuller's teaching into Ma to view a plurality of attributes
related to the events on the same display because Ma at least suggests the claim limitation of
viewing a secondary attribute of said each event together with the primary attribute on said
display at least by the means of mapping of the secondary attribute and coloring the secondary
attribute and therefore the secondary attribute and the primary attribute are distinctly viewed (See
Figs. 2 and 4 of Ma wherein a plurality of secondary attributes are colored so as to be viewed.
Although the menu options are used in Fig. 6 of Ma to switch the primary attribute to
another attribute, the secondary attribute can be viewed by the coloring mechanism as disclosed
and can be further queried and displayed in different plots on the same display).

One of the ordinary skill in the art would have been motivated to do so such that the 
inter-process dependency among events and event categorical attributes are visualized 
(Kranzlmuller Page 109). 

Specification 

The disclosure is objected to because of the following informalities: on line 5 of the claim 
1, "each the events" should be "said events". Appropriate correction is required. 

Claim Objections 

Claim 1 is objected to because of the following informalities: on line 5 of the claim 1, 
"each the events" should be "said events". Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

The base claim 1 recites a method of monitoring events in a computer network and the
claim 10 recites "a computer program containing a program code to carry out the steps of the
method of claim 1". Thus, the claim 1's method is a computer implemented method claim. The
claim 1 recites steps in a computer program. 

Patentable subject matter is held to exclude laws of nature, natural phenomena, and 
abstract ideas. Diamond v. Diehr, 450 U.S. 175, 185, 101 S.Ct. 1048, 1056 (1981). Applicants'
claim 1 recites steps in a computer program, which is not a process, and thus the claim 1 is 
nonstatutory. 

Only an applicant's claims are entitled to the protection of the patent system; therefore 
claims, if expressing ideas in a mathematical form, must describe something beyond the 
manipulation of ideas in order to qualify as patentable subject matter. In re Warmerdam, at
1360. Given the absence of any practical effect or significant independent physical acts, the 
applicants' claim fails to adequately define the claimed invention within the domain of 
patentable subject matter. 

The claimed invention as a whole must accomplish a practical application. That is, it 
must produce a "useful, concrete and tangible result." State Street, 149 F.3d at 1373, 47 
USPQ2d at 1601-02. The purpose of this requirement is to limit patent protection to inventions 
that possess a certain level of "real world" value, as opposed to subject matter that represents 
nothing more than an abstract idea or mathematical concept, or is simply a starting point for
future investigation or research (Brenner v. Manson, 383 U.S. 519, 528-36, 148 USPQ 689,
693-96); In re Ziegler, 992 F.2d 1197, 1200-03, 26 USPQ2d 1600, 1603-06 (Fed. Cir. 1993)).
Accordingly, a complete disclosure should contain some indication of the practical application 
for the claimed invention, i.e., why the applicant believes the claimed invention is useful. Given 
the absence of any practical effect or significant independent physical acts, the applicants' claim 
fails to adequately define the claimed invention within the domain of patentable subject matter. 

Claims 2-11, 16-17 are rejected for the same reason set forth above.

The claim 11 recites "said program code being stored on data carrier". It is suggested that
the preamble be amended to recite "said program code being stored on a computer readable
medium."

The claim 13 recites "a computer usable medium". It is suggested that the preamble be 
amended to recite "a computer readable medium."

The claim 14 recites "a program storage device readable by machine". It is suggested 
that the preamble be amended to recite "a computer readable medium."

The claim 15 recites "a computer usable medium". It is suggested that the preamble be 
amended to recite "a computer readable medium."

Claim Rejections - 35 USC § 112 
The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

Claims 1-20 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for
failing to particularly point out and distinctly claim the subject matter which applicant regards as 
the invention. 

For example, the claim 1 recites "attribute values allocated to a given set of attributes of 
said each event", "various event attributes", "a primary attribute of the events", "a second 
display label to the events indicating the attribute values of the attributes", "a secondary attribute 
of said each event". It is confusing whether the attributes as recited in the claim 1 are associated 
with a plurality of events or a single event. It is further confusing whether the attribute values as 
recited in the claim 1 are associated with a plurality of attributes or a single attribute such as a 
primary attribute or a secondary attribute. Clarification is required. 

Although multiple attribute values related to the primary attribute can be presented on the 
same display, it is not ascertained that the attribute values are allocated to a plurality of attributes 
or to a single primary attribute as applicant's claim 1 later recites "a secondary attribute". 
Moreover, it is not ascertained from the claimed invention set forth in the claim 1 whether the
claim limitation of "attributes" refers to numerical attributes or categorical attributes or the
display coloring attributes. Applicant failed to particularly point out and distinctly claim the 
subject matter which applicant regards as invention. 

Claims 2-13 and 15-19 depend upon the claim 1 and are rejected due to their dependency 
on the claim 1. 

The claim 14 is subject to the same rationale of rejection set forth in the claim 1.
The claim 20 is subject to the same rationale of rejection set forth in the claim 1.

Claim 10 recites the limitation "the steps" in line 1 of the claim. There is insufficient
antecedent basis for this limitation in the claim. 

Claim 11 recites the limitation "the steps" in line 1 of the claim. There is insufficient
antecedent basis for this limitation in the claim. 

Claim 12 recites the limitation "the steps" in line 2 of the claim and "the device" in lines 
1-2 of the claim. There is insufficient antecedent basis for this limitation in the claim. 

Claim 13 recites the limitation "the steps" in line 4 of the claim. There is insufficient 
antecedent basis for this limitation in the claim. 

Claim 15 recites the limitation "the functions" in lines 4-5 of the claim. There is 
insufficient antecedent basis for this limitation in the claim. 

Claim 20 recites the limitation "the method" in line 2 of the claim. There is insufficient 
antecedent basis for this limitation in the claim. 

The scope of claim 20 is confusing as it is unclear whether an apparatus (i.e., an article of 
manufacture) or a method (i.e., a method) is being claimed. Clarification is required. 



Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 1-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over S. Ma, et al.,
"EventMiner: An integrated mining tool for Scalable Analysis of Event Data", May 21, 2001,
www.research.ibm.com in view of D. Kranzlmuller, S. Grabner, J. Volkert, "Event graph
visualization for debugging large applications", Proc. of the SIGMETRICS symposium on
Parallel and distributed tools, Philadelphia, PA, United States, Pages: 108-117 (hereinafter
Kranzlmuller).

Claim 1: 

Ma teaches a method of monitoring events in a computer network, the method 
comprising: 

Said computer network triggering said events, each event being provided with attribute 
values allocated to a given set of attributes of said each event (The term "attributes" is not
clear as it may be related to the data object attributes for each event or the pattern attributes for
each pattern for a plurality of data objects. However, the pattern attributes for a plurality of
data objects are also related to the data object attributes as a pattern is computed from the
plurality of data objects. The cited reference teaches mapping a plurality of data attributes to item
to identify correlations across different hosts and event types by using the mapping that maps the 
pair of event type and host name to item and leaves key empty. See Page 11. Moreover, the cited 
reference in Page 1, second paragraph, explicitly teaches the attribute values, see the last 
paragraph of Page 6 and the first and second paragraphs of Page 8, the last paragraph of Page 
12, and the real data set collected from a production computer network containing thousands of 
managed nodes including routers, hubs and servers are described in the last paragraph of page 
3 and identifying unknown event patterns that can be used for real-time monitoring is described
in the second paragraph of page 3. Ma has also taught a plurality of pattern attributes related to 
the one or more significant measurements such as the co-occurrences, i.e., the total number of 
times that two hosts generate events within a predefined time window, the conditional probability 
of the two hosts, i.e., the probability of a host generating an event given the observation that the 
other host has generated an event, the chi-squared test and so on); 

Simultaneously monitoring various event attributes versus the arrival time of said events
(e.g., Fig. 5(b) displays two different attributes for the events; Figs. 2 and 4 show y-axis is the
host name attribute as well as the coloring of attribute such as "authentication failure" events in
red and "SNMP request" events in green; therefore, at least two event attributes such as host
name, authentication failure, SNMP request have been simultaneously monitored in the plot of
Figs. 2 and 4);

Providing an event display with a cross plot having x and y coordinate axes, the x-axis 
presenting a time period and the y-axis presenting an attribute value range (e.g., The cited reference
teaches mapping a plurality of data attributes to item to identify correlations across different hosts
and event types by using the mapping that maps the pair of event type and host name to item and
leaves key empty. See Page 11. Figs. 2, 4, 6, 7, 9 and the third paragraph of Page 8 describe a
scatter plot or cross plot having a y-axis representing around 160 hosts of a communication
network and the x axis has been described in the figures as well as the first paragraph of page 6; 
for attribute value range, see these figures as well as the description in the second paragraph of 
Page 8); 

Determining a primary attribute of the events selected from the given set of attributes to
be presented with its attribute values on the y-axis of the cross plot (e.g., The cited reference
teaches mapping a plurality of data attributes to item to identify correlations across different hosts
and event types by using the mapping that maps the pair of event type and host name to item and 
leaves key empty. The attributes including the categorical attributes or temporal attributes and 
the primary attribute values are displayed in Figs. 2, 4, 6 and 7 and multiple attributes are 
described in the last paragraphs of Page 11 and 12), 

Allocating a first display label (e.g., one of the colors indicating the patterns such as the 
Pattern 1, Pattern 2, Pattern 3 and Pattern 4 as marked in the scatter plot or the cross plot of 
Figs. 2, 6, 7 and 9 such as "Link down of host A" and "node down of host B") to the events
(e.g., alarms in Page 10) indicating (mapping of the attributes wherein the mapping results are 
shown in the plots with the patterns identifying/indicating the attribute values of the primary 
attribute related to the categorical attribute such as the host A or the host B. Moreover, the 
pattern attribute values identifying the pattern 1 and the pattern 2 also describe the primary 
attribute such as the host A and the host B for the patterns such as "Link down of host A" and
"node down of host B") the attribute values of the primary attribute (e.g., co-occurrence of 
certain events or the categorical attribute and event type associated with the events wherein the 
primary attribute is related to the primary attribute of the data set or the primary attribute of the 
patterns; See Page 12 and the key attribute values are described in the second paragraph of 
page J), providing a pattern algorithm (the pattern algorithm is described in Fig. 7 as well as the 
mining algorithm as described in the last paragraph of page 12 or the EventMiner for ordering 
categorical values wherein the event generating, say every 300 seconds, may be identified) to 
detect whether an arrived event (arrived event are the selected event objects or the selected data
objects in a specific time range related to the events progressively loaded from a database or the 
mining alarm logs in a real time system; see first paragraph of page 13 and the last paragraph 
of page 10 and a new query that retrieves the relevant data objects for more analysis in which a 
new query is restricted to a range constraint for a numerical attribute; see the last paragraph of 
page 10) is part of the given pattern (is part of the given pattern such as the Pattern 1 or the 
Pattern 2 from the identifiable patterns such as the SNMP request, authentication failure, link 
up, link down, port up, port down wherein authentication failure indicates a possible security 
intrusion and link down of host A indicates the attribute associated with the data objects as 
well as the attribute associated with the event) on the basis of a comparison of the attributes 
allocated to the given pattern and of the attributes assigned to the arrived event (e.g., the co- 
occurrence measurements for events can be computed for the data sets or the data objects and 
the temporal correlation with the selected hosts from the other side of the AttributeViewer can be 
identified using the color linkage by the coloring and filtering algorithm or the data mining 
algorithm in which the difference or similarity in terms of patterns indicated by colors is 
compared; see page 12-13), providing a mapping algorithm to map any attribute value of an 
attribute selected from the given set of attributes onto the y-axis of the cross plot (see the last 
paragraphs of Page 11-12; The cited reference teaches mapping a plurality of data attributes to
item to identify correlations across different hosts and event types by using the mapping that 
maps the pair of event type and host name to item and leaves key empty.), 

Allocating a second display label (e.g., one of the colors indicating the patterns such as 
the Pattern 1, Pattern 2, Pattern 3 and Pattern 4 as marked in the scatter plot or the cross plot of 
Figs. 2, 6, 7; SNMP request, authentication failure, link up, link down, port up, port down
wherein authentication failure indicates a possible security intrusion may be used as display
labels as well. The attribute values may be used as display labels as well) to the events indicating
the attribute values of the attributes being uncovered (discovered) as part of the given pattern
(e.g., the co-occurrence measurements for events can be computed and the temporal correlation 
with the selected hosts from the other side of the AttributeViewer can be identified using the 
color linkage by the coloring and filtering algorithm or the data mining algorithm in which the 
difference or similarity in terms of patterns indicated by colors is compared; see page 12-13; the 
display labels indicate the attribute values of the attributes being discovered as part of the given 
pattern, for example, the second host was near a critical level for a key metric indicates the 
attribute values of the attributes being discovered as part of the given pattern), plotting all the 
events arrived within the time period and including an attribute value allocated to the primary 
attribute into the cross plot with the first display label indicating the primary attribute, the 
position of the first display label of each event in the cross plot being determined on the basis of 
the attribute value of the primary attribute of the event and its arrival time (e.g., The cited 
reference teaches mapping a plurality of data attributes to item to identify correlations across
different hosts and event types by using the mapping that maps the pair of event type and host 
name to item and leaves key empty. Figs. 2, 4, 6, and 7 and the related paragraphs mentioned 
above in "allocating a first display label", e.g., one of the colors indicating the patterns such as 
the Pattern 1, Pattern 2, Pattern 3 and Pattern 4 as marked in the scatter plot or the cross plot of 
Figs. 2, 6, 7; SNMP request, authentication failure, link up, link down, port up, port down 
wherein authentication failure indicates a possible security intrusion may be used as display
labels as well. The attribute values may be used as display labels as well), and 

Plotting all the events arrived within the time period (Figs. 2, 4, 6, and 7 plot all the
events within a specific time range) and being detected by means of the pattern algorithm (by the
event miner algorithm) as part of the given pattern into the cross plot with the second display
label (e.g., one of the colors indicating the patterns such as the Pattern 1, Pattern 2, Pattern 3
and Pattern 4 as marked in the scatter plot or the cross plot of Figs. 2, 6, 7 and 9 or Pattern 2 or 
the Green Spike in Fig. 10), the position of the second display label of each event in the cross 
plot being determined by the mapping algorithm on the basis of the attribute value of the 
attribute of the event (see Figs. 1-10) on the basis of the attribute value of the attribute of the 
event being uncovered (uncovered for example in the alarm log and uncovered by the mining 
algorithm) as part of the given pattern and its arrival time (discovered as part of the given 
pattern such as Patterns 1-4 and its arrival time; all the selected events are in a specific time 
range as plotted in Figs. 2, 4, 6, 7 and 10). 

In other words, Ma discloses an apparatus and system for monitoring events in a 
computer network enabling an operator of an intrusion-detection system to simultaneously 
monitor various event attributes versus the arrival time of the events, for example, authentication 
failure indicates a possible security intrusion may be used as display labels. The cited prior art 
teaches in Fig. 7 and the last paragraph of the Page 12 plotting the primary attribute (e.g., with 
the attribute values indicating the troublesome hosts having significantly high event counts) 
versus time with the attribute values for events in a communication network and the primary 
attribute for a host is selected from a plurality of attributes related to the categorical values, the 
one or more significant measurements such as the co-occurrences (i.e., the total number of times
that two hosts generate events within a predefined time window), the conditional probability of 
the two hosts (i.e., the probability of a host generating an event given the observation that the 
other host has generated an event), the chi-squared test and so on. 

Fig. 4 shows the coloring of the events having the primary attribute with the patterns 
indicating the authentication failure and SNMP request in order to differentiate using the 
coloring the events with authentication failure from other events. A pattern label is assigned to 
the events falling into the same pattern. Finally, the operator can view different event attributes 
by switching menus (Fig. 6). 

Ma has taught in Fig. 7 and the last paragraph of the Page 12 plotting the primary 
attribute (e.g., with the attribute values indicating the troublesome hosts having significantly high 
event counts) versus time with the attribute values for events in a communication network. Ma 
has also taught a plurality of attributes related to the one or more significant measurements such 
as the co-occurrences (i.e., the total number of times that two hosts generate events within a 
predefined time window), the conditional probability of the two hosts (i.e., the probability of a 
host generating an event given the observation that the other host has generated an event), the 
chi-squared test and so on wherein the attribute values are plotted in the same plot. See Figs. 2, 6, 
7 and 9. Many significant event patterns are simultaneously identified within a single plot 
without the operator's switching between the various event attributes. 

Ma discloses display label including the colors for coloring the different patterns that 
indicate the attribute values of the primary attribute such as the co-occurrences of some specific 
events within a predefined time window. 

Ma teaches that Fig. 5(b) displays two different attributes for the events; Figs. 2 and 4
show that the y-axis is the host name attribute as well as the coloring of attributes such as "authentication
failure" events in red and "SNMP request" events in green; therefore, at least two event
attributes such as host name, authentication failure, SNMP request have been simultaneously
monitored in the plot of Figs. 2 and 4. The menu options shown in Fig. 6 allow for the y-axis
attribute mappings to be changed. Moreover, Ma teaches mapping a plurality of attributes to item
and viewing both numerical attribute and categorical attribute on a same plot in Fig. 7 (See Page 
10). Thus, Ma at least teaches or suggests the claim limitation of viewing a secondary attribute of 
said each event together with the primary attribute on said display. 

Moreover, Kranzlmuller teaches viewing a plurality of attributes P0-P7 for the events in a 
communication network. Kranzlmuller teaches viewing a secondary categorical attribute (e.g., an 
event belonging to the category P0) of said each event together with the primary categorical 
attribute (e.g., an event belonging to the category P1) on said display (See Page 109, Fig. 2).

It would have been obvious to one of the ordinary skill in the art at the time the invention 
was made to have incorporated Kranzlmuller's teaching into Ma to view a plurality of attributes
related to the events on the same display because Ma at least suggests the claim limitation of
viewing a secondary attribute of said each event together with the primary attribute on said
display at least by the means of mapping of the secondary attribute and coloring the secondary
attribute and therefore the secondary attribute and the primary attribute are distinctly viewed (See
Figs. 2 and 4 of Ma wherein a plurality of secondary attributes are colored so as to be viewed.
Although the menu options are used in Fig. 6 of Ma to switch the primary attribute to
another attribute, the secondary attribute can be viewed by the coloring mechanism as disclosed
and can be further queried and displayed in different plots on the same display).

One of the ordinary skill in the art would have been motivated to do so such that the 
inter-process dependency among events and event categorical attributes are visualized 
(Kranzlmuller Page 109). 

Re Claims 2-3: 

Ma further discloses selecting the new events within the specified time period and 
plotting the new events within the shifted time period into the cross plot. See Figs. 6, 7, 9 and 10 
in which events in the two time periods are drawn and the spikes are identified and the newly 
selected events are redrawn as determined by the data mining algorithm for the time period 
during which the new events are retrieved. The database records the attribute values and the 
arrival time of a new event. The pattern algorithm determines on the basis of the recorded 
attribute values of event whether or not the newly arrived event in the database and the newly 
retrieved event from the database includes an attribute value of the primary attribute, for a certain 
host and event type, as determined by the pattern algorithm using the mapping mechanism for
mapping a plurality of attributes including the primary attribute into an item for presentation, and 
the pattern algorithm also determines if the newly arrived event, e.g., alarm, includes the 
attribute value for the primary attribute, e.g., a certain host or a certain event type including 
SNMP request, authentication failure, link up, link down, port up, port down, link down of host 
A, node down of host B etc., shifting the x-axis of the cross plot for the new time period so that 
the new time period being presented on the x-axis covers the arrival time of the event and 
plotting the event arrived within the shifted time period into the cross plot with the first display 
label indicating the primary attribute. 

Ma discloses determining on the basis of the recorded attribute values of event from the 
alarm log or the database whether or not the newly arrived event for the new time period is part 
of the given pattern using the pattern algorithm on the basis of a comparison of the attributes 
allocated to the given pattern, for example a composite pattern of Page 13, on the basis of a 
comparison analysis, and of the attribute assigned to the arrived event wherein the newly arrived 
event is determined by the retrieval time ranges and data ranges including the host names and 
types from the database. Ma further discloses determining if the newly arrived event includes an 
attribute value of the given pattern including the mutual dependence measurement of an 
m-pattern, adding the event to the previous events being detected as part of the given pattern, and 
redrawing all the events being associated with given pattern in the cross plot by updating the 
cross plot. 

Re Claims 4-5: 

Ma further discloses the third display label and the fourth display label indicating the new 
patterns (See the three colored spikes in Fig. 6 and the four patterns in Fig. 7). 

Ma discloses determining if the newly arrived event does not include an attribute value of 
the given pattern, on the basis of the recorded attribute values of all previous arrived events from 
the alarm logs or from the database, by means of the mining algorithm whether or not the newly 
arrived event is part of a new pattern on the basis of a comparison (Page 13) of the attributes 
allocated to the new pattern and of the attributes assigned to the arrived events. Ma discloses 
allocating a third display label to the events, including the coloring of the new pattern, indicating 
the attribute values of the attributes being discovered as part of the new pattern wherein a large 
amount of patterns can be discovered by the mining algorithms. Ma discloses plotting all the 
events being detected by means of the mining algorithm as part of the new pattern into the cross 
plot with the third display label indicating the new pattern, the position of the third display label 
of each event in the cross plot being determined by the mapping algorithm (Page 12 for the 
mapping of the attributes into item and thereby determining the positions of the patterns on the 
cross plot) on the basis of the attribute value of the attribute of the event (event types, host names 
etc) being uncovered as part of the new pattern, such as SNMP request, authentication failure, 
link up, link down, port up, port down, link down of host A, node down of host B etc, and its 
arrival time in the database. 

Ma discloses removing all the events including an attribute value allocated to the primary 
attribute from the cross plot, if a primary attribute to be presented with its attribute values on the 
y-axis of the cross plot is changed (if the mapping mechanism for mapping a plurality of 
attributes including the host names and event types are changed), allocating a fourth display label 
including SNMP request, authentication failure, link up, link down, port up, port down, link 
down of host A, node down of host B etc, to the events indicating the attribute values of the new 
primary attribute (e.g., category attribute, event type of data objects). Ma discloses plotting all 
the events arrived within the time period as retrieved from the database and including an attribute 
value allocated to the new primary attribute into the cross plot with the fourth display label, 
including SNMP request, authentication failure, link up, link down, port up, port down, link 
down of host A, node down of host B etc, indicating the new primary attribute, such as the host 
name and event type, the position of the fourth display label of each event in the cross plot being 
determined by the mapping mechanism in Page 12 on the basis of the attribute value of the 
primary attribute of the event and its arrival time as determined by the retrieval condition from 
the database. 

Re Claim 6: 

Ma further discloses the operator selects the events to be plotted and displaying textual 
and coloring information associated with the selected events on the event display (Page 4 and 
Figs. 6, 7, 9-10). 

Ma discloses plotting all attribute values, including the attributes such as event type, link 
down, and host name, host A, in the patterns marked as the link down of host A, node down of 
host B, recorded for an event, as retrieved from the database, with the respective display label 
into the cross plot if the event is selected by an operator and displaying textual information 
associated with the selected event on the event display. 

Re Claim 7: 

Ma further discloses a pattern algorithm such as the data mining algorithm suitable to 
perform multi-attribute pattern recognition (Figs. 6, 7, 9-10). 

Ma discloses the mining algorithm being suitable to perform multi-attribute pattern 
recognition using the mapping mechanism (Page 12) and the pattern comparisons/matching 
(Page 13). 

Re Claim 8: 

Ma further discloses using color such as Red and Green to color the pattern Spikes and 
Pattern 1, Pattern 2, Pattern 3, Pattern 4 for specific mark layouts (Figs. 6, 7, 9-10). 
Ma discloses each display label includes different colors marking the events. 

Re Claim 9: 

Ma further discloses all events being uncovered as part of the pattern being clustered by 
the display label such as Red Spikes, Green Spikes (Figs. 6, 7 and 9-10). 

Ma discloses all events being discovered as part of the pattern as clustered by the 
different labels including Red Spikes and Green Spikes to indicate one of the plurality of events 
such as SNMP request, authentication failure, link up, link down, port up, port down, link down 
of host A, node down of host B etc, indicating the new primary attribute. 

Re Claim 10: 

Ma further discloses a data mining algorithm and GUI (Page 14). Ma discloses the 
mining algorithm carrying the steps as recited in the claim 1. 

Re Claim 11: 

Ma further discloses the program code being stored on a data carrier (see page 5). A data 
carrier is inherent within the computer embodiment of Page 5. 

Re Claim 12: 

Ma further discloses an event visualization device for monitoring events in a computer 
network (Page 3). The cited reference teaches mapping a plurality of data attributes to item to 
identify correlations across different hosts and event types by using the mapping that maps the 
pair of event type and host name to item and leaves key empty. See Page 11. Moreover, the cited 
reference in Page 1, second paragraph, explicitly teaches the attribute values, see the last 
paragraph of Page 6 and the first and second paragraphs of Page 8, the last paragraph of Page 
12, and the real data set collected from a production computer network containing thousands of 
managed nodes including routers, hubs and servers are described in the last paragraph of page 
3 and identifying unknown event patterns that can be used for real-time monitoring is described 
in the second paragraph of page 3. 

Re Claims 13 and 15: 

Ma further discloses an implementation of the Event Miner algorithm on the computer 
(Page 4-5). 

Claim 14: 

The claim 14 is subject to the same rationale of rejection set forth in the claim 1. 

Claim 16: 

The claim 16 is subject to the same rationale of rejection set forth in the claims 2-4. 

Claim 17: 

The claim 17 is subject to the same rationale of rejection set forth in the claim 5. 

Claim 18: 

The claim 18 is subject to the same rationale of rejection set forth in the claims 2-4. 



Application/Control Number: 10/798,070 
Art Unit: 2628 






Claim 19: 

The claim 19 is subject to the same rationale of rejection set forth in the claim 5. 

Claim 20: 

The claim 20 is subject to the same rationale of rejection set forth in the claim 1. 

Conclusion 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jin-Cheng Wang whose telephone number is (571) 272-7665. 
The examiner can normally be reached on 8:00 - 6:30 (Mon-Thu). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kee Tung, can be reached on (571) 272-7794. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 